SOLVED FOG/Powershell not copying to Win32/GroupPolicy/Adm

  • Below is my script. Everything works except the Copy-Item line. I’ve tested copying the files to other locations and it works then. When it comes to copying the file to that location it just doesn’t want to do it. Other things I’ve tried: -Path, Move-Item, and taking out all environment variables.

    #Powershell %~dp0
    $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
    #installs Chrome
    Start-Process $scriptPath\ChromeInstall.msi /q -wait -WindowStyle hidden
    #imports registry!
    Reg import $scriptPath\chrome_settings.reg
    #copies over .adm files
    copy-Item -LiteralPath 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell\chrome.adm' -Destination 'C:\Windows\System32\GroupPolicy\Adm' -Force -Verbose -Recurse
    copy_item -LiteralPath 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell\GoogleUpdate.adm' -Destination 'C:\Windows\System32\GroupPolicy\Adm' -Force -Verbose -Recurse
    #force GroupPolicy update
    Start-Process gpupdate /force  -WindowStyle hidden
    #Remove-Item -path 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell'

    ** mod edit to distinguish code **

  • @Tom-Elliott Tried running the script w/ psexec w/ all files in appropriate locations and it ran w/o an issue doing everything it was supposed to. Unfortunately FOG still doesn’t seem to want to copy those 2 files. GroupPolicy is a hidden folder, could that be causing an issue?

  • Testers

    @victorkrazan6267 I just read this part after making my domain central store recommendations.
    We have some non-domain computers and I utilized copying the admx files to C:\Windows\PolicyDefinitions for setting the policies in local group policies. You could theoretically embed them in your image as well.

    You can also use the policyfileeditor module to edit the local group policy as part of that script.

    i.e. to set chrome to always open pdfs externally you could do

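    # Requires the PolicyFileEditor module; writes a machine-scope local policy entry
    $machinePol = "C:\WINDOWS\system32\grouppolicy\machine\Registry.pol";
    $chromeKey = "Software\policies\google\chrome";
    # The Chrome policy value name is AlwaysOpenPdfExternally (1 = open PDFs externally)
    Set-PolicyFileEntry -Path $machinePol -Key $chromeKey -ValueName "AlwaysOpenPdfExternally" -Data 1 -Type DWord;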

    It takes a little time to learn that module. But it’s pretty useful to have a way to script changes to local group policies.

  • Testers

    So this is an idea unrelated to your script syntax.
    Do you have access to your active directory central store and are all the computers involved in AD?
    Based on what you have written you’re using the adm policy templates for applying chrome policies via group policy that you had set at the AD level.

    If you copy the admx files to the central store they’ll get copied down to each AD joined computer automatically. Is that an option for you?

    I believe that the folder you’re copying to has some extra security built into it or something. I remember reading that once upon a time. You can use the chrome.admx file and the googleUpdate.admx files from where you got the adm files and copy them to c:\windows\policyDefinitions and that will work fine. I used to do it that way before I started just including them in the domain central store which can be accessed (read\write) remotely via \\domainControllerHostname\C$\Windows\SYSVOL\sysvol\domainFqdn\Policies\PolicyDefinitions. You may have to login to the domain controller and find the local folder of that share.
    I think you can copy adm files to either the central store or local store too, but I’ve read that admx files are the better option. I can’t remember why but I recall it being convincing.

    I hope that helps.

  • @quazz Yes they do.

  • Moderator

    Does the destination folder actually exist already?

  • @tom-elliott Yep, went to FOG/tmp to make sure that they were being extracted to ChromePowerShell. If I change -Destination to C:\Users\<User>\Desktop the files will be copied to the desktop.

  • Senior Developer

    @victorkrazan6267 and you’re sure ChromePowerShell files exist in the fog\tmp folder?

  • @tom-elliott Whoops typo. Yes both are failing.

  • @george1421 SYSTEM has full permissions. The files are going onto a laptop that will be going out to the field and techs don’t come into the offices often. I did try using $scriptPath, but it still wasn’t copying the files. Yes, it’s in a PowerShell snapin pack.

  • Moderator

    @victorkrazan6267 So I have to ask the question: what permissions are on that directory [C:\Windows\System32\GroupPolicy\Adm]? Is it owned by the trusted installer? The FOG service runs as the SYSTEM account. Anything that SYSTEM has rights to do, the FOG service should be able to do.

    But on a lower level I have to ask why are you doing this? Typically the ADM files are only used on the domain controller or any system that needs to configure the GPO policies. The workstations that consume the policies don’t need the ADM files locally.

    The other comment I would have is to not use the full path to the FOG TMP directory. Use %~dp0 to identify the local path. If for some reason the FOG client is installed in a different directory your script will break.

    Finally I assume you are creating a snapin pack and deploying it that way, that way all of your files are copied over to the target computer.
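
Added example, not part of the thread and not FOG's own code: a diagnostic sketch for the checks raised in the post above (which account the script runs as, who owns the destination, what rights SYSTEM has, and a script-relative source path). It assumes PowerShell 3.0 or later and that the .adm files sit next to the script; it also reports whether the process is 32-bit on 64-bit Windows, where System32 paths are redirected to SysWOW64, which is general Windows behaviour and not something the thread confirms as the cause.

```powershell
# Added diagnostic sketch; run it in the same context as the failing copy
# (for a FOG snapin, that is the SYSTEM account).
$destination = 'C:\Windows\System32\GroupPolicy\Adm'   # path from the thread
$sourceDir   = $PSScriptRoot                            # assumption: files sit beside this script
$files       = 'chrome.adm', 'GoogleUpdate.adm'         # file names from the thread

# Who is running, and is this a 32-bit process on 64-bit Windows?
# In that case Windows redirects System32 paths to SysWOW64.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$wow64    = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
Write-Output "Running as $identity; 32-bit process on 64-bit OS: $wow64"

# Does the destination exist, who owns it, and what can SYSTEM do there?
if (-not (Test-Path -LiteralPath $destination -PathType Container)) {
    Write-Output "Destination folder not found as seen by this process: $destination"
} else {
    $acl = Get-Acl -LiteralPath $destination
    Write-Output "Owner: $($acl.Owner)"
    $acl.Access |
        Where-Object { $_.IdentityReference -like '*SYSTEM' } |
        ForEach-Object { "  $($_.IdentityReference): $($_.AccessControlType) $($_.FileSystemRights)" }
}

# Copy each file, turning failures into terminating errors so they are reported
# instead of being skipped silently, then confirm the file really arrived.
foreach ($name in $files) {
    $source = Join-Path -Path $sourceDir -ChildPath $name
    $target = Join-Path -Path $destination -ChildPath $name
    try {
        Copy-Item -LiteralPath $source -Destination $target -Force -ErrorAction Stop
        $ok = Test-Path -LiteralPath $target -PathType Leaf
        Write-Output "Copied $name; present at destination: $ok"
    } catch {
        Write-Output "Copy of $name failed: $($_.Exception.Message)"
    }
}
```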

  • Senior Developer

    @victorkrazan6267 I see 2 copy items and the second is written copy_item while the first one seems proper syntax of copy-item.

    Are both failing?